import { executeAccess } from '../auth/executeAccess.js';
import { Forbidden } from '../errors/Forbidden.js';
/**
 * Authorizes a read of an uploaded file, addressed by filename, in a collection.
 *
 * Steps, in order:
 *  1. Refuse any filename containing a parent-directory sequence.
 *  2. Run the collection's `read` access function through `executeAccess`.
 *  3. If that yields an object, treat it as an extra query constraint and look
 *     up a document whose own filename, or the filename of one of its
 *     configured image sizes, equals the requested name.
 *
 * @param {object} args
 * @param {object} args.collection - Collection wrapper; only `config` is read
 *   (`config.access.read`, `config.upload.imageSizes`, `config.slug`).
 * @param {string} args.filename - Requested filename. It is compared as
 *   received; nothing in this function decodes or normalizes it.
 * @param {object} args.req - Request object; supplies `req.t` for the error
 *   and `req.payload.db` for the lookup.
 * @returns {Promise<object|undefined>} The matching document when the access
 *   result was an object; otherwise `undefined`.
 * @throws {Forbidden} When the filename contains `../` or `..\`, or when the
 *   constrained lookup finds no document.
 */
export const checkFileAccess = async ({ collection, filename, req }) => {
  // Literal substring check for both separator styles. Percent-encoded or
  // otherwise transformed sequences are not recognised here.
  // NOTE(review): this relies on the caller passing an already-decoded string
  // and on `filename` being a string (an array's `includes` tests elements,
  // not substrings) - confirm at the call site.
  const traversalMarkers = ['../', '..\\'];
  const looksLikeTraversal = traversalMarkers.some((marker) => filename.includes(marker));
  if (looksLikeTraversal) {
    throw new Forbidden(req.t);
  }

  const { config } = collection;
  const accessArgs = {
    data: {
      filename,
    },
    isReadingStaticFile: true,
    req,
  };
  const accessResult = await executeAccess(accessArgs, config.access.read);

  // A non-object result adds no query constraint, so there is nothing to look
  // up and nothing to return.
  // NOTE(review): presumably executeAccess itself rejects a denied request
  // before control reaches this point - verify in ../auth/executeAccess.js.
  // Also note `typeof null === 'object'`, so a null result takes the lookup path.
  if (typeof accessResult !== 'object') {
    return undefined;
  }

  // The name may refer to the original upload or to any generated size.
  const filenameMatches = [
    {
      filename: {
        equals: filename,
      },
    },
  ];
  if (config.upload.imageSizes) {
    config.upload.imageSizes.forEach(({ name }) => {
      filenameMatches.push({
        [`sizes.${name}.filename`]: {
          equals: filename,
        },
      });
    });
  }

  // The filename match is AND-ed with the access constraint, so an existing
  // file the caller may not read is indistinguishable from a missing one.
  const where = {
    and: [
      {
        or: filenameMatches,
      },
      accessResult,
    ],
  };
  const doc = await req.payload.db.findOne({
    collection: config.slug,
    req,
    where,
  });
  if (!doc) {
    throw new Forbidden(req.t);
  }
  return doc;
};
//# sourceMappingURL=checkFileAccess.js.map